Middle East Petrochem Firms Targeted

Thursday, September 18, 2014 @ 03:09 PM gHale

In the attack campaign, attackers are using a variant of the Citadel malware, which was originally created to steal money from banks and has been massively distributed on users’ PCs around the world, according to a report by Dana Tamir, director of enterprise security at Trusteer, an IBM Company.

While the use of advanced malware originally built for financial theft as a generic advanced persistent threat (APT) tool is not new, this is the first time researchers have seen Citadel used to target nonfinancial organizations in a targeted/APT-style attack in order to potentially access corporate data, steal intellectual property or gain access to secured corporate resources, such as mail systems or remote access sites, Tamir wrote.

The targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. She did not reveal the names of the companies.

The Citadel malware first came to light in 2012 as a man-in-the-browser malware designed to steal banking credentials using webinjects. Since then, malware developers extended its functionality. It now offers a wide range of functions to steal information and remotely manage infected computers, Tamir said. The malware operates according to instructions provided in a configuration file. Once Citadel is on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal and how to steal it.

According to an analysis of the configuration file used in this attack, the Citadel malware’s mission was to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies. Once the browser accesses such a URL, the malware was to grab all the information submitted by the user. This is form grabbing, or “HTTP POST” grabbing, Tamir said. When the user submits information into the system, the Web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it ends up encrypted and sent to the server.

To steal login credentials that provide access to the company’s webmail system, the malware looks for URLs like “http://mail.target-company.com,” which would be the login URL of the webmail system. When the user submits the login credentials, the malware grabs the username, password and any other information submitted during the login process. The information goes to the cyber criminal, who can then log in on behalf of a trusted user, access corporate emails, send malicious emails and more.
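As an added illustration (not code from Tamir’s report or from IBM Trusteer), the check a defender would run once a decoded configuration is in hand: match the config’s target URL masks against the organization’s own login URLs to see which Internet-facing systems the form grabber was aimed at. The mask syntax (`*` as a wildcard, everything else literal) follows the Zeus/Citadel family’s config style; the masks and URLs below are constructed, not those from the reported attack.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of URL masks in the style of a Citadel form-grabbing
# configuration. These values are made up for illustration.
SAMPLE_MASKS = [
    "http://mail.target-company.com/*",
    "https://*.target-company.com/owa/*",
    "*://vpn.target-company.com/*",
    "https://www.examplebank.test/login*",
]

# Constructed list of an organization's Internet-facing login URLs (assumed).
OUR_LOGIN_URLS = [
    "https://mail.target-company.com/owa/auth/logon.aspx",
    "http://mail.target-company.com/",
    "https://vpn.target-company.com/dana-na/auth/url_default/welcome.cgi",
    "https://intranet.target-company.com/",
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a Zeus/Citadel-style URL mask, where '*' matches any run of
    characters and every other character is literal, into an anchored regex."""
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def targeted_urls(masks, urls):
    """Return {url: [matching masks]} for every URL hit by at least one mask."""
    compiled = [(m, mask_to_regex(m)) for m in masks]
    hits = {}
    for url in urls:
        matched = [m for m, rx in compiled if rx.match(url)]
        if matched:
            hits[url] = matched
    return hits


def targeted_hosts(masks, urls):
    """Distinct hostnames whose login pages the config targets, for the report."""
    return sorted({urlsplit(u).hostname for u in targeted_urls(masks, urls)})


if __name__ == "__main__":
    for url, masks in targeted_urls(SAMPLE_MASKS, OUR_LOGIN_URLS).items():
        print(f"{url} is targeted by {masks}")
    print("Targeted hosts:", targeted_hosts(SAMPLE_MASKS, OUR_LOGIN_URLS))
```

Any hostname reported here is one whose credentials should be treated as exposed on infected endpoints, which is what makes forced resets and login monitoring on those systems the priority.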

The use of massively distributed malware means attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social engineering schemes to infect millions of PCs around the world.

IBM Trusteer research found an average of 1 in 500 machines worldwide suffers from an infection with massively distributed APT malware at any point in time. IBM Trusteer’s Service team reports they have discovered such malware in practically every customer environment in which they’ve worked.